CWE-319 (Cleartext Transmission of Sensitive Information) — Vulnerability Class 356

356 vulnerabilities classified as CWE-319 (Cleartext Transmission of Sensitive Information). AI Chinese analysis included.

CWE-319 is a security weakness in which an application transmits sensitive or security-critical data in cleartext over a communication channel that can be intercepted. An attacker positioned on that channel captures the unencrypted packets with a network sniffer and reads confidential information such as login credentials, personally identifiable information, or financial data directly, because nothing protects the data while it is in transit. The mitigation is to encrypt all data in transit with a reliable transport protocol such as TLS (or its predecessor SSL), and to enforce policies that require encrypted connections for every sensitive communication, so that the data stays confidential and tamper-evident against eavesdropping and man-in-the-middle attacks for the whole transmission.

MITRE CWE Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Common Consequences (2)
Scope: Integrity, Confidentiality. Impact: Read Application Data, Modify Files or Directories.
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination…
Scope: Integrity, Confidentiality. Impact: Read Application Data, Modify Files or Directories, Other.
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that i…
Mitigations (5)
Architecture and Design: Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
Implementation: When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
Implementation: When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
Testing: Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Operation: Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
Examples (2)
The following code attempts to establish a connection to a site to communicate sensitive information.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

// Bad: the URL uses plain http, so everything written to this connection
// crosses the network in cleartext and can be read by anyone on the path.
try {
    URL u = new URL("http://www.secret.example.org/");
    HttpURLConnection hu = (HttpURLConnection) u.openConnection();
    hu.setRequestMethod("PUT");
    hu.connect();
    OutputStream os = hu.getOutputStream();
    hu.disconnect();
} catch (IOException e) {
    //...
}
```

Bad · Java
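A hardened counterpart to the bad example above, added here as illustration rather than taken from the MITRE entry or from any listed product: it refuses any endpoint that is not https, checks that the JDK actually handed back a TLS connection, and treats a redirect as a failure so the session cannot be downgraded to cleartext. The class name, the `put` helper and the endpoint are assumptions made for this example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class SecureUpload {

    // Hypothetical destination (constructed for this example).
    static final String ENDPOINT = "https://www.secret.example.org/";

    // Reject anything that is not an https URL, so a misconfigured endpoint
    // (or a later edit back to "http://") fails closed instead of leaking.
    static URL requireHttps(String spec) throws IOException {
        URL u = new URL(spec);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IOException("refusing cleartext endpoint: " + spec);
        }
        return u;
    }

    static int put(String spec, byte[] sensitive) throws IOException {
        URL u = requireHttps(spec);
        HttpURLConnection hu = (HttpURLConnection) u.openConnection();
        // For https URLs this is an HttpsURLConnection with the JDK's default
        // certificate and hostname checks; never install permissive verifiers.
        if (!(hu instanceof HttpsURLConnection)) {
            throw new IOException("expected a TLS connection to " + u.getHost());
        }
        // A 3xx redirect to an http:// URL would downgrade the session, so do
        // not follow redirects automatically and treat one as a failure.
        hu.setInstanceFollowRedirects(false);
        hu.setRequestMethod("PUT");
        hu.setDoOutput(true);
        try {
            try (OutputStream os = hu.getOutputStream()) {
                os.write(sensitive);   // leaves the process only inside TLS
            }
            int code = hu.getResponseCode();
            if (code >= 300 && code < 400) {
                throw new IOException("redirect " + code + " from " + u.getHost());
            }
            return code;
        } finally {
            hu.disconnect();
        }
    }
}
```

Calling `put("http://www.secret.example.org/", data)` throws before any socket is opened, which is the behaviour the "use SSL for the entire session" mitigation above asks for.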
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | CVSS | Severity | Published
CVE-2024-13872 | Bitdefender Box Insecure Update Mechanism Vulnerability in libboxhermes.so — BOX v1 | 7.5 | - | 2025-03-12
CVE-2025-22493 | Improper cookie attributes in Foreseer Reporting Software (FRS) — Foreseer Reporting Software (FRS) | 5.6 | Medium | 2025-03-05
CVE-2025-24849 | Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application Cleartext Transmission of Sensitive Information — USB-C Blood Glucose Monitoring System Starter Kit Android Applications | 7.1 | High | 2025-02-28
CVE-2024-5462 | Brocade Fabric OS may capture SNMP Passwords in clear text — Brocade Fabric OS | 7.5 | - | 2025-02-14
CVE-2025-1060 | Schneider Electric ASCO 5310 and ASCO 5350 security vulnerability — ASCO 5310 Single-Channel Remote Annunciator | 7.5 | High | 2025-02-13
CVE-2025-0556 | Telerik Report Server Clear Text Transmission of Agent Commands — Telerik Report Server | 8.8 | High | 2025-02-12
CVE-2024-43187 | IBM Security Verify Access information disclosure — Security Verify Access Appliance | 5.9 | Medium | 2025-02-04
CVE-2023-35017 | IBM Security Verify Governance information — Security Verify Governance | 5.9 | Medium | 2025-01-29
CVE-2025-0784 | Intelbras InControl Registered User usuario cleartext transmission — InControl | 3.7 | Low | 2025-01-28
CVE-2025-0631 | PowerFlex® 755 Credential Exposure Vulnerability — PowerFlex 755 | 7.5 | - | 2025-01-28
CVE-2025-0432 | HMS Networks Ewon Flexy 202 Cleartext Transmission of Sensitive Information — Ewon Flexy 202 | 5.7 | Medium | 2025-01-28
CVE-2024-28786 | IBM QRadar SIEM information disclosure — QRadar SIEM | 6.5 | Medium | 2025-01-27
CVE-2024-41757 | IBM Concert Software information disclosure — Concert Software | 5.9 | Medium | 2025-01-24
CVE-2024-26155 | ETIC Telecom Remote Access Server (RAS) Cleartext Transmission of Sensitive Information — Remote Access Server (RAS) | 6.8 | Medium | 2025-01-17
CVE-2024-45102 | Lenovo XClarity Administrator security vulnerability — XClarity Administrator | 6.8 | Medium | 2025-01-14
CVE-2024-42181 | HCL MyXalytics is affected by a cleartext transmission of sensitive information vulnerability — DRYiCE MyXalytics | 1.6 | Low | 2025-01-12
CVE-2024-11946 | iXsystems TrueNAS CORE fetch_plugin_packagesites tar Cleartext Transmission of Sensitive Information Vulnerability — TrueNAS CORE | 8.1 | - | 2024-12-30
CVE-2021-39081 | IBM Cognos Analytics Mobile information disclosure — Cognos Analytics Mobile for Android | 5.9 | Medium | 2024-12-19
CVE-2024-10973 | Keycloak: cli option for encrypted jgroups ignored | 5.7 | Medium | 2024-12-17
CVE-2024-49820 | IBM Security Guardium Key Lifecycle Manager information disclosure — Security Guardium Key Lifecycle Manager | 3.7 | Low | 2024-12-17
CVE-2024-49819 | IBM Security Guardium Key Lifecycle Manager information disclosure — Security Guardium Key Lifecycle Manager | 4.1 | Medium | 2024-12-17
CVE-2024-53246 | Sensitive Information Disclosure through SPL commands — Splunk Enterprise | 5.3 | Medium | 2024-12-10
CVE-2024-47577 | Information Disclosure vulnerability in SAP Commerce Cloud — SAP Commerce Cloud | 2.7 | Low | 2024-12-10
CVE-2024-6515 | unauthorized file access — ASPECT-Enterprise | 9.6 | Critical | 2024-12-05
CVE-2021-29892 | IBM Cognos Controller information disclosure — Cognos Controller | 5.9 | Medium | 2024-12-03
CVE-2024-9834 | Improper data protection on Life2000 ventilator serial interface — Life2000 Ventilation System | 9.3 | Critical | 2024-11-14
CVE-2024-32946 | LevelOne WBR-6012 security vulnerability — WBR-6012 | 5.9 | Medium | 2024-10-30
CVE-2024-8013 | CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines — mongocryptd | 2.2 | Low | 2024-10-28
CVE-2024-49387 | Acronis Cyber Protect security vulnerability — Acronis Cyber Protect 16 | 7.5 | - | 2024-10-15
CVE-2024-9620 | Event-driven automation in ansible automation platform (aap): ansible event-driven automation (eda) lacks encryption | 5.3 | Medium | 2024-10-08

Vulnerabilities classified as CWE-319 (Cleartext Transmission of Sensitive Information) account for 356 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.